DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Office Action is in response to the Appeal Brief filed on 9/25/2020. Claims 1-20 are pending. This Office Action is Non-Final.

In view of the Appeal Brief filed on 9/25/2020, PROSECUTION IS HEREBY REOPENED. A New Ground of Rejection is set forth below.
To avoid abandonment of the application, appellant must exercise one of the following two options:
(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,
(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.
A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439                                                                                                                                                                                                        


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-17 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Regarding claims 1 and 11
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.   As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. See US Applications 2013/0254535, 2015/0156194 and 2011/0154027.  As discussed above, the additional elements recited at a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component.  Therefore, the claim is directed to non-statutory subject matter. The Examiner respectfully suggests that the claim be further amended to positively recite at least one step of the claimed method is performed by a particular machine/computing device to make the claim statutory under 35 U.S.C. 101.
Regarding claims 2-10 and 12-17; claims 2-10 and 12-17 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 


An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform 
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Response to Arguments
	A) Applicant’s arguments regarding 35 USC 101 for no hardware embodiment have been considered and deemed persuasive, specifically regarding Claim 1.  As a result the 35 USC 101 rejection for no hardware embodiment, regarding claim 1, is withdrawn.

	B) Applicant’s arguments with respect to claim(s) 1, 11 and 18 have been considered but are moot because the new ground of rejection does not rely on any 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically teachd as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-3, 6-8, 10-13 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nariswa et al. (US 2016/0304040) in view of Dabak (US 2019/0156036).

As per claim 1, Nariswa teaches a data processing system comprising: processor circuitry; a process identifier unit configured to track process identifier values associated with activities occurring within the processor circuitry (Nariswa, Paragraph 0024 recites “FIG. 2 is a configuration diagram of control software 150 executed by the processor 112. The control software 150 is stored in the ROM 114. The control software 150 is read into the RAM 113 when necessary. The control software 150 includes a high safety program 151, a validity checker 152, a process request manager 153, an authority controller 154, a result holder 155, and a low safety program 156. The process request manager 153 further includes a priority determinator 1531, and a priority controller 1532.”).
But Nariswa fails to teach a process identifier transition monitor configured to determine when a transition of the tracked process identifier values from a first value to a second value is illegitimate.
However, in an analogous art Dabak teaches a process identifier transition monitor configured to determine when a transition of the tracked process identifier values from a first value to a second value is illegitimate (Dabak, Paragraph 0044 recites “The request includes a process identifier (ID) for the thread. In response to detecting the request, a determination is made as to whether the process ID for the current process is different from the process ID for the thread and different from the process ID for a parent process of the thread. If it is determined that the process ID for the current process is different from the process ID for the thread and/or different from the process ID for the parent process of the thread, additional checks are performed. …, the request to create a new thread is classified as an attempt at lateral movement associated with malware and a security monitoring system is notified for taking suitable action based on a policy associated with the host 302 as discussed earlier.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Dabak’s detecting arbitrary code execution using a hypervisor with Narisawa’s vehicle control device because the use of checking related processes will give a system a baseline on what is considered to be acceptable behavior of a process to prevent unauthorized executions. 

As per claim 2, Nariswa in combination with Dabak teaches the data processing system as recited in claim 1, Nariswa further teaches the process identifier transition monitor configured to output a signal as a function of a determination that the transition of the tracked process identifier values is illegitimate (Nariswa, Paragraph 0040 recites “The validity checker 152 sets an error as a processing result for the request issued by the low safety program 156 indicating that the range of the process ID 301 was invalid. After this step, the process skips to step S508.”). 

As per claim 3, Nariswa in combination with Dabak teaches the data processing system as recited in claim 1, Dabak further teaches wherein the illegitimate transition of (Dabak, Paragraph 0044 recites “The request includes a process identifier (ID) for the thread. In response to detecting the request, a determination is made as to whether the process ID for the current process is different from the process ID for the thread and different from the process ID for a parent process of the thread. If it is determined that the process ID for the current process is different from the process ID for the thread and/or different from the process ID for the parent process of the thread, additional checks are performed. …, the request to create a new thread is classified as an attempt at lateral movement associated with malware and a security monitoring system is notified for taking suitable action based on a policy associated with the host 302 as discussed earlier.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Dabak’s detecting arbitrary code execution using a hypervisor with Narisawa’s vehicle control device because the use of checking related processes will give a system a baseline on what is considered to be acceptable behavior of a process to prevent unauthorized executions. 

As per claim 6, Nariswa in combination with Dabak teaches the data processing system as recited in claim 1, Dabak further teaches wherein the process identifier transition monitor includes a lookup table configured to contain entries that indicate which transitions of tracked process identifier values are legitimate and which transitions of tracked process identifier values are illegitimate (Dabak, Paragraph 0044 recites “The request includes a process identifier (ID) for the thread. In response to detecting the request, a determination is made as to whether the process ID for the current process is different from the process ID for the thread and different from the process ID for a parent process of the thread. If it is determined that the process ID for the current process is different from the process ID for the thread and/or different from the process ID for the parent process of the thread, additional checks are performed. …, the request to create a new thread is classified as an attempt at lateral movement associated with malware and a security monitoring system is notified for taking suitable action based on a policy associated with the host 302 as discussed earlier.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Dabak’s detecting arbitrary code execution using a hypervisor with Narisawa’s vehicle control device because the use of checking related processes will give a system a baseline on what is considered to be acceptable behavior of a process to prevent unauthorized executions. 

As per claim 7, Nariswa in combination with Dabak teaches the data processing system as recited in claim 7, Dabak further teaches wherein the process identifier transition monitor is configured to capture the first and second values of the tracked process identifier and perform a lookup of the transition in the lookup table to determine whether the transition has been predetermined to be legitimate or illegitimate (Dabak, Paragraph 0044 recites “The request includes a process identifier (ID) for the thread. In response to detecting the request, a determination is made as to whether the process ID for the current process is different from the process ID for the thread and different from the process ID for a parent process of the thread. If it is determined that the process ID for the current process is different from the process ID for the thread and/or different from the process ID for the parent process of the thread, additional checks are performed. …, the request to create a new thread is classified as an attempt at lateral movement associated with malware and a security monitoring system is notified for taking suitable action based on a policy associated with the host 302 as discussed earlier.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Dabak’s detecting arbitrary code execution using a hypervisor with Narisawa’s vehicle control device because the use of checking related processes will give a system a baseline on what is considered to be acceptable behavior of a process to prevent unauthorized executions. 

As per claim 8, Nariswa in combination with Dabak teaches the data processing system as recited in claim 2, Nariswa further teaches wherein the process identifier transition monitor is configured to select a predetermined response associated with the illegitimate transition, wherein the signal is delivered to a portion of the data processing system as a function of the selected predetermined response (Nariswa, Paragraph 0040 recites “The validity checker 152 sets an error as a processing result for the request issued by the low safety program 156 indicating that the range of the process ID 301 was invalid. After this step, the process skips to step S508.”).  

As per claim 10, Nariswa in combination with Dabak  teaches the data processing system as recited in claim 6, Dabak further teaches wherein a legitimate (Dabak, Paragraph 0044 recites “The request includes a process identifier (ID) for the thread. In response to detecting the request, a determination is made as to whether the process ID for the current process is different from the process ID for the thread and different from the process ID for a parent process of the thread. If it is determined that the process ID for the current process is different from the process ID for the thread and/or different from the process ID for the parent process of the thread, additional checks are performed. …, the request to create a new thread is classified as an attempt at lateral movement associated with malware and a security monitoring system is notified for taking suitable action based on a policy associated with the host 302 as discussed earlier.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Dabak’s detecting arbitrary code execution using a hypervisor with Narisawa’s vehicle control device because the use of checking related processes will give a system a baseline on what is considered to be acceptable behavior of a process to prevent unauthorized executions. 

As per claim 11, Nariswa teaches a method comprising: monitoring a transition of process identifier values tracked within a data processing system (Nariswa, Paragraph 0024 recites “FIG. 2 is a configuration diagram of control software 150 executed by the processor 112. The control software 150 is stored in the ROM 114. The control software 150 is read into the RAM 113 when necessary. The control software 150 includes a high safety program 151, a validity checker 152, a process request manager 153, an authority controller 154, a result holder 155, and a low safety program 156. The process request manager 153 further includes a priority determinator 1531, and a priority controller 1532.”).
But fails to teach determining when the transition of process identifier values represents an illegitimate transition of the process identifier values.
However, in an analogous art Dabak teaches determining when the transition of process identifier values represents an illegitimate transition of the process identifier values (Dabak, Paragraph 0044 recites “The request includes a process identifier (ID) for the thread. In response to detecting the request, a determination is made as to whether the process ID for the current process is different from the process ID for the thread and different from the process ID for a parent process of the thread. If it is determined that the process ID for the current process is different from the process ID for the thread and/or different from the process ID for the parent process of the thread, additional checks are performed. …, the request to create a new thread is classified as an attempt at lateral movement associated with malware and a security monitoring system is notified for taking suitable action based on a policy associated with the host 302 as discussed earlier.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Dabak’s detecting arbitrary code execution using a hypervisor with Narisawa’s vehicle control device because the use of checking related 

As per claim 12, Nariswa in combination with Dabak teaches the method as recited in claim 11, Dabak further teaches wherein the monitoring of the transition of process identifier values further comprises: capturing a first process identifier value from a process identifier unit associated with a processor and capturing a second process identifier value from the process identifier unit, wherein the determining when the transition of process identifier values represents the illegitimate transition of the process identifier values further comprises using the first and second captured process identifier values to perform a lookup in a lookup table, resulting in the determination that the transition of process identifier values represents the illegitimate transition (Dabak, Paragraph 0044 recites “The request includes a process identifier (ID) for the thread. In response to detecting the request, a determination is made as to whether the process ID for the current process is different from the process ID for the thread and different from the process ID for a parent process of the thread. If it is determined that the process ID for the current process is different from the process ID for the thread and/or different from the process ID for the parent process of the thread, additional checks are performed. …, the request to create a new thread is classified as an attempt at lateral movement associated with malware and a security monitoring system is notified for taking suitable action based on a policy associated with the host 302 as discussed earlier.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Dabak’s detecting arbitrary code execution using a hypervisor with Narisawa’s vehicle control device because the use of checking related processes will give a system a baseline on what is considered to be acceptable behavior of a process to prevent unauthorized executions. 

As per claim 13, Nariswa in combination with Dabak teaches the method as recited in claim 11, Nariswa further teaches triggering a predetermined response as a function of the determining of the illegitimate transition of the process identifier values (Nariswa, Paragraph 0040 recites “The validity checker 152 sets an error as a processing result for the request issued by the low safety program 156 indicating that the range of the process ID 301 was invalid. After this step, the process skips to step S508.”).  

As per claim 18, Nariswa teaches a data processing system comprising: a processor; a process identifier unit configured to track process identifier values associated with activities occurring within the processor; and a process identifier transition monitor configured to determine whether a transition of the tracked process identifier values from a first value to a second value is legitimate or illegitimate, wherein the process identifier transition monitor further comprises (Nariswa, Paragraph 0024 recites “FIG. 2 is a configuration diagram of control software 150 executed by the processor 112. The control software 150 is stored in the ROM 114. The control software 150 is read into the RAM 113 when necessary. The control software 150 includes a high safety program 151, a validity checker 152, a process request manager 153, an authority controller 154, a result holder 155, and a low safety program 156. The process request manager 153 further includes a priority determinator 1531, and a priority controller 1532.”): 
circuitry for capturing the first process identifier value from the process identifier unit (Nariswa, Paragraph 0035 recites “The head pointer 401 is a pointer pointing a job to be executed first in the job list stored in the execution waiting job list 400. The process ID 402 s an identifier of the job to be executed. The process ID 402 corresponds to the process ID 301 when the low safety program 156 calls functions in the high safety program 151. The priority 403 is a priority level when executing the relevant job. The priority 403 corresponds to the execution priority 303 when the low safety program 156 calls functions in the high safety program 151. The argument 404 is an argument assigned to the relevant job. The argument 404 corresponds to the argument 304 when the low safety program 156 calls functions in the high safety program 151. The next pointer is a pointer pointing the next element in the execution waiting job list 400.” Processes will be executed, where each process has an id, wherein the next pointer will call the next process.  The following steps of determining if the called process is valid as explained below.);
and circuitry for triggering a predetermined response to the determination that the transition of the tracked process identifier values from the first value to the second value represents an illegitimate transition of process identifier values (Nariswa, Paragraph 0040 recites “The validity checker 152 sets an error as a processing result for the request issued by the low safety program 156 indicating that the range of the process ID 301 was invalid. After this step, the process skips to step S508.”). 
But fails to teach circuitry for capturing the second process identifier value from the process identifier unit; circuitry for performing a lookup in a permission matrix configured to contain entries that indicate which transitions of tracked process identifier values are legitimate and which transitions of tracked process identifier values are illegitimate; circuitry for determining from the entries in the permission matrix that the transition of the tracked process identifier values from the first value to the second value represents an illegitimate transition of process identifier values.
However, in an analogous art Dabak teaches circuitry for capturing the second process identifier value from the process identifier unit; circuitry for performing a lookup in a permission matrix configured to contain entries that indicate which transitions of tracked process identifier values are legitimate and which transitions of tracked process identifier values are illegitimate; circuitry for determining from the entries in the permission matrix that the transition of the tracked process identifier values from the first value to the second value represents an illegitimate transition of process identifier values (Dabak, Paragraph 0044 recites “The request includes a process identifier (ID) for the thread. In response to detecting the request, a determination is made as to whether the process ID for the current process is different from the process ID for the thread and different from the process ID for a parent process of the thread. If it is determined that the process ID for the current process is different from the process ID for the thread and/or different from the process ID for the parent process of the thread, additional checks are performed. …, the request to create a new thread is classified as an attempt at lateral movement associated with malware and a security monitoring system is notified for taking suitable action based on a policy associated with the host 302 as discussed earlier.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Dabak’s detecting arbitrary code execution using a hypervisor with Narisawa’s vehicle control device because the use of checking related processes will give a system a baseline on what is considered to be acceptable behavior of a process to prevent unauthorized executions. 

Claims 4 and 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nariswa et al. (US 2016/0304040) and Dabak (US 2019/0156036) and in further view of Katmor et al. (US 2016/0149937).

As per claim 4, Nariswa in combination with Dabak teaches the data processing system as recited in claim 1, but fails to teach wherein the illegitimate transition of the tracked process identifier values represents an occurrence of a cyberattack received within the data processing system.
However, in an analogous art Katmor teaches wherein the illegitimate transition of the tracked process identifier values represents an occurrence of a cyberattack received within the data processing system (Katmor, Paragraphs 0108 and 0109, recites “Verifying the process executable file format. Invalid formats may be associated with malicious code. Multiple clients may be monitored together. Monitoring data from multiple gateways may be analyzed together. Stack data collected from the multiple clients at the gateway and/or data from multiple gateways may be analyzed together to identify a pattern of malicious activity, for example, malware infection spreading from client to client, and/or establishment of a coordinated attack from multiple clients establishing network connections to a single target server and/or to multiple target servers within a short period of time.” Malicious code is considered to be a cyberattack, and Katmor teaches identifying the malicious code.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Katmor’s systems and methods for malicious code detection with Narisawa’s vehicle control device because it offers the advantage of preventing the spread of malware infection.

As per claim 5, Nariswa in combination with Dabak teaches the data processing system as recited in claim 1, but fails to teach wherein the illegitimate transition of the tracked process identifier values represents an unexpected execution in the processor circuitry of a certain first thread after execution of a certain second thread.
	However, in an analogous art Katmor teaches wherein the illegitimate transition of the tracked process identifier values represents an unexpected execution in the processor circuitry of a certain first thread after execution of a certain second thread (Katmor, Paragraph 0170 recites “Optionally, at 510A, the current thread is marked as malicious when the call stack is invalid. Alternatively or additionally, at 512A, the parent thread is analyzed to determine when the parent thread has injected the thread into the process. The injected thread may be detected based on the process of the threads. For example, when the process of the parent thread is different than the process of the current thread, the current thread is considered an injection.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Katmor’s systems and methods for malicious code detection with Narisawa’s vehicle control device because it offers the advantage of ensuring that proper threads are processing in order and are not foreign.
  

Claims 9 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nariswa et al. (US 2016/0304040) and Dabak (US 2019/0156036) and in further view of Maluf et al. (US 2019/0308589).

As per claim 9, Nariswa in combination with Dabak teaches the data processing system as recited in claim 2 but fails to teach, wherein the signal is configured to cause a vehicle to shut down its drive train or a warning to be transmitted to a driver or passenger of the vehicle. 
	However, in an analogous art Maluf teaches wherein the signal is configured to cause a vehicle to shut down its drive train or a warning to be transmitted to a driver or passenger of the vehicle (Maluf, Paragraph 0115 recites “e techniques herein provide for the modeling of vehicle states that can be leveraged for purposes of intrusion detection on the network of the vehicle. In some aspects, if the actual measurements on the network of the vehicle differ from the modeled behavior by a threshold amount, this may indicate a potential malicious intrusion of the network. In turn, the intrusion detection system (IDS) of the vehicle can initiate a mitigation action, such as alerting the driver as to the intrusion, etc.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Maluf’s vehicle network intrusion detection system (ids) using vehicle state predictions with Narisawa’s vehicle control device because it offers the advantage of ensuring that a vehicle or driver is aware of an intrusion and proper action can be taken.

As per claim 15, Nariswa in combination with Dabak teaches the method as recited in claim 13, but fails to teach wherein the predetermined response is a signal sent to a vehicle system controller that is configured to perform a specified function in response to the signal.
However, in an analogous art Maluf teaches wherein the predetermined response is a signal sent to a vehicle system controller that is configured to perform a specified function in response to the signal (Maluf, Paragraph 0115 recites “e techniques herein provide for the modeling of vehicle states that can be leveraged for purposes of intrusion detection on the network of the vehicle. In some aspects, if the actual measurements on the network of the vehicle differ from the modeled behavior by a threshold amount, this may indicate a potential malicious intrusion of the network. In turn, the intrusion detection system (IDS) of the vehicle can initiate a mitigation action, such as alerting the driver as to the intrusion, etc.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Maluf’s vehicle network intrusion detection system (ids) using .

Claim 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nariswa et al. (US 2016/0304040) and Dabak (US 2019/0156036) and in further view of Hauke et al. (US 2015/0121519).
As per claim 14, Nariswa in combination with Dabak teaches the method as recited in claim 13, but fails to teach wherein the predetermined response is a reset of the processor to a predetermined known state. 
	However, in an analogous art Hauke teaches wherein the predetermined response is a reset of the processor to a predetermined known state (Hauke, Paragraph 0036 recites “In one embodiment, P state security logic 152 is operative to implement a security function in response to the unsecure condition. Exemplary security functions include stopping the P state change, resetting the processor 150, powering down the processor 150, forcing the processor 150 into an appropriate P state, or any other suitable security function.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Hauke’s system and method for monitoring and controlling a performance state change with Narisawa’s vehicle control device because it offers the advantage of preventing any further security incidents by reverting back to a known safe state.

Claims 16, 17 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nariswa et al. (US 2016/0304040) and Dabak (US 2019/0156036) and in further view of Chai et al. (US 2017/0364792).

As per claim 16, Nariswa in combination with Dabak teaches the method as recited in claim 11, but fails to teach wherein the illegitimate transition represents an occurrence of a certain activity within a processor within the data processing system, wherein the certain activity is an unexpected execution of a first thread of instructions immediately subsequent to an execution of a second thread of instructions.
However, in an analogous art Chia teaches wherein the illegitimate transition represents an occurrence of a certain activity within a processor within the data processing system, wherein the certain activity is an unexpected execution of a first thread of instructions immediately subsequent to an execution of a second thread of instructions (Chai, Paragraph 0093 recites “warning signal could generated when, for example, a predicted processor state does not match the actual state. For example, certain processor events may not occur at particular times or with certain patterns as expected, or certain events may be observed at particular times or with certain suspicious or otherwise unlikely patterns. In certain configurations, the generative DNN may learn normal processor behavior, which could be altered by active malware (e.g., unexpected branching and/or faults and exceptions). More complex behaviors (e.g., unexpected sequences of instructions or events) can also trigger a warning (e.g., a read from memory and transfer of data over a network). The generative DNN, on the processor itself, can thus be involved in learning and monitoring processor behaviors.” Here and unexpected sequence would read on a first thread and a second thread being unexpected because by being out of sequence it would be outside of the expected behavior).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chai’s systems and methods for optimizing operations of computing devices using deep neural networks with Narisawa’s vehicle control device because it offers the advantage of protecting processors from anomalies.

As per claim 17, Nariswa in combination with Dabak teaches the method as recited in claim 11, but fails to teach wherein the illegitimate transition represents an occurrence of a certain activity within a processor within the data processing system, wherein the certain activity is selected from the group consisting of an execution of unexpected software code by the processor, an occurrence of a cyberattack received.
However, in an analogous art Chai teaches wherein the illegitimate transition represents an occurrence of a certain activity within a processor within the data processing system, wherein the certain activity is selected from the group consisting of an execution of unexpected software code by the processor, an occurrence of a cyberattack received (Chai, Paragraph 0093 recites “warning signal could generated when, for example, a predicted processor state does not match the actual state. For example, certain processor events may not occur at particular times or with certain patterns as expected, or certain events may be observed at particular times or with certain suspicious or otherwise unlikely patterns. In certain configurations, the generative DNN may learn normal processor behavior, which could be altered by active malware (e.g., unexpected branching and/or faults and exceptions). More complex behaviors (e.g., unexpected sequences of instructions or events) can also trigger a warning (e.g., a read from memory and transfer of data over a network). The generative DNN, on the processor itself, can thus be involved in learning and monitoring processor behaviors.” Here and unexpected sequence would read on a first thread and a second thread being unexpected because by being out of sequence it would be outside of the expected behavior.  See Also Paragraph 0080 for anomaly detection because of cyberattacks.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chai’s systems and methods for optimizing operations of computing devices using deep neural networks with Narisawa’s vehicle control device because it offers the advantage of protecting processors from anomalies.

As per claim 19, Nariswa in combination with Dabak teaches the data processing system as recited in claim 18, but fails to teach wherein the illegitimate transition of the tracked process identifier values represents the processor entering an unknown or unexpected state of operation, wherein the activities are execution of different threads of instructions within the processor.
However, in an analogous art Chai teaches wherein the illegitimate transition of the tracked process identifier values represents the processor entering an unknown or unexpected state of operation, wherein the activities are execution of different threads of instructions within the processor (Chai, Paragraph 0093 recites “warning signal could generated when, for example, a predicted processor state does not match the actual state. For example, certain processor events may not occur at particular times or with certain patterns as expected, or certain events may be observed at particular times or with certain suspicious or otherwise unlikely patterns. In certain configurations, the generative DNN may learn normal processor behavior, which could be altered by active malware (e.g., unexpected branching and/or faults and exceptions). More complex behaviors (e.g., unexpected sequences of instructions or events) can also trigger a warning (e.g., a read from memory and transfer of data over a network). The generative DNN, on the processor itself, can thus be involved in learning and monitoring processor behaviors.” Here and unexpected sequence would read on a first thread and a second thread being unexpected because by being out of sequence it would be outside of the expected behavior.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chai’s systems and methods for optimizing operations of computing devices using deep neural networks with Narisawa’s vehicle control device because it offers the advantage of protecting processors from anomalies.

Claim 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nariswa et al. (US 2016/0304040), Dabak (US 2019/0156036) and Chai et al. (US 2017/0364792) and in further view of  Hauke et al. (US 2015/0121519).

As per claim 20, Nariswa in combination with Dabak and Chai teaches the data processing system as recited in claim 19, but fails to teach wherein the predetermined response is selected from the group consisting of resetting the processor to a known 
However, in an analogous art Hauke teaches wherein the predetermined response is selected from the group consisting of resetting the processor to a known state of operation, rebooting the processor, and deactivating the data processing system (Hauke, Paragraph 0036 recites “In one embodiment, P state security logic 152 is operative to implement a security function in response to the unsecure condition. Exemplary security functions include stopping the P state change, resetting the processor 150, powering down the processor 150, forcing the processor 150 into an appropriate P state, or any other suitable security function.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Hauke’s system and method for monitoring and controlling a performance state change with Narisawa’s vehicle control device because it offers the advantage of preventing any further security incidents by reverting back to a known safe state.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661.  The examiner can normally be reached on Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439       



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439